ME2 Monitor and Evaluate Internal Control
© 2007 IT Governance Institute. All rights reserved. www.itgi.org
Management Guidelines
Inputs
From AI7: Internal control monitoring
From ME1: Process performance report

Outputs
Report on effectiveness of IT controls, to PO4, PO6, ME1, ME4

Goals and Metrics

Activity goals
• Defining a system of internal controls embedded in the IT process framework
• Monitoring and reporting on the effectiveness of the internal controls over IT
• Reporting control exceptions to management for action

Process goals
• Monitor the achievement of the internal control objectives set for the IT processes.
• Identify internal control improvement actions.

IT goals
• Ensure that IT services and infrastructure can properly resist and recover from failures due to error, deliberate attack or disaster.
• Protect the achievement of IT objectives.
• Ensure IT compliance with laws, regulations and contracts.
• Account for and protect all IT assets.

Activity metrics
• Number and coverage of control self-assessments
• Number and coverage of internal controls subject to supervisory review
• Time between internal control deficiency occurrence and reporting
• Number, frequency and coverage of internal compliance reports
• Amount of senior management satisfaction and comfort with reporting on internal control monitoring

Process metrics
• Frequency of internal control incidents
• Number of weaknesses identified by external qualification and certification reports
• Number of control improvement initiatives
• Number of regulatory or legal non-compliance events
• Number of timely actions on internal control issues

IT metrics
• Number of major internal control breaches
RACI Chart
Functions: CEO, CFO, Board, Business Executive, CIO, Business Process Owner, Head Operations, Chief Architect, Head Development, Head IT Administration
Activities (assignments listed in column order; functions with no assignment are omitted)
Monitor the performance of independent reviews, audits and examinations: I A R R R C
Monitor the process to obtain assurance over controls operated by third parties: I I I A R R R C
Monitor the process to identify and assess control exceptions: I I I A I R R R C
Monitor the process to identify and remediate control exceptions: I I I A I R R R C
Report to key stakeholders: I I I A/R I
A RACI chart identifies who is Responsible, Accountable, Consulted and/or Informed.
Maturity Model
Management of the process of Monitor and evaluate internal control that satisfies the business requirement for IT of protecting the achievement of IT objectives and complying with IT-related laws and regulations is:
0 Non-existent when
The organisation lacks procedures to monitor the effectiveness of internal controls. Management internal control reporting methods are absent. There is a general unawareness of IT operational security and internal control assurance. Management and employees have an overall lack of awareness of internal controls.
1 Initial/Ad Hoc when
Management recognises the need for regular IT management and control assurance. Individual expertise in assessing internal control adequacy is applied on an ad hoc basis. IT management has not formally assigned responsibility for monitoring the effectiveness of internal controls. IT internal control assessments are conducted as part of traditional financial audits, with methodologies and skill sets that do not reflect the needs of the information services function.
2 Repeatable but Intuitive when
The organisation uses informal control reports to initiate corrective action initiatives. Internal control assessment is dependent on the skill sets of key individuals. The organisation has an increased awareness of internal control monitoring. Information service management performs monitoring over the effectiveness of what it believes are critical internal controls on a regular basis.
Methodologies and tools for monitoring internal controls are starting to be used, but not based on a plan. Risk factors specific to the IT environment are identified based on the skills of individuals.
3 Defined when
Management supports and institutes internal control monitoring. Policies and procedures are developed for assessing and reporting on internal control monitoring activities. An education and training programme for internal control monitoring is defined. A process is defined for self-assessments and internal control assurance reviews, with roles for responsible business and IT managers. Tools are being utilised but are not necessarily integrated into all processes. IT process risk assessment policies are being used within control frameworks developed specifically for the IT organisation. Process-specific risks and mitigation policies are defined.
4 Managed and Measurable when
Management implements a framework for IT internal control monitoring. The organisation establishes tolerance levels for the internal control monitoring process. Tools are implemented to standardise assessments and automatically detect control exceptions.
A formal IT internal control function is established, with specialised and certified professionals utilising a formal control framework endorsed by senior management. Skilled IT staff members are routinely participating in internal control assessments. A metrics knowledge base for historical information on internal control monitoring is established. Peer reviews for internal control monitoring are established.
5 Optimised when
Management establishes an organisationwide continuous improvement programme that takes into account lessons learned and industry good practices for internal control monitoring. The organisation uses integrated and updated tools, where appropriate, that allow effective assessment of critical IT controls and rapid detection of IT control monitoring incidents. Knowledge sharing specific to the information services function is formally implemented. Benchmarking against industry standards and good practices is formalised.
Process Description
ME3 Ensure Compliance With External Requirements
Control over the IT process of
Ensure compliance with external requirements
that satisfies the business requirement for IT of
ensuring compliance with laws, regulations and contractual requirements by focusing on
identifying all applicable laws, regulations and contracts and the corresponding level of IT compliance and optimising IT processes to reduce the risk of non-compliance
is achieved by
• Identifying legal, regulatory and contractual requirements related to IT
• Assessing the impact of compliance requirements
• Monitoring and reporting on compliance with these requirements
and is measured by
• Cost of IT non-compliance, including settlements and fines
• Average time lag between identification of external compliance issues and resolution
• Frequency of compliance reviews